What I don't quite get is how this helps with the kind of upgrades we are actually doing - mostly security upgrades. In those cases we never want to roll back, and we don't want to switch over gradually; we basically want to apply a single well-contained change (that comes pre-tested and hopefully doesn't break anything) globally and right now. All the things NixOS provides you can have with a modern Gentoo installation and careful snapshotting, except the possibility of having a system where every step of the upgrade is atomic and the system as a whole is still in a well-defined state. But in critical setups you'll have two systems anyway, one where you test the change and one in production. And with security updates you are in a "bad state" as soon as the security issue goes to full disclosure (ok, you learn that you were in a bad state all the time), and no intermediary step is interesting until you have upgraded all consumers/dependencies of the package in question. From this view a half-upgraded NixOS is working but insecure, while a half-upgraded Gentoo is perhaps not working and insecure. But how does "working, insecure" help, I wonder.